Amazon CloudFront
Developer Guide (API Version 2012-05-05)

Securing Your Content in Amazon S3

To secure your content in Amazon S3, you create a CloudFront origin access identity and set the ACL on the objects or buckets in Amazon S3 to be accessible only by that identity. This section describes what an origin access identity is, shows you how to modify your distribution to include a CloudFront origin access identity, and how to authorize CloudFront access to data in Amazon S3.

Overview of the CloudFront Origin Access Identity

A CloudFront origin access identity is a virtual identity that allows CloudFront to fetch content from an Amazon S3 bucket. To use an origin access identity to secure your content in Amazon S3, you perform the following tasks, each described in its own section below:

  • Create a CloudFront origin access identity.

  • Create a new distribution, or update an existing one, so that its configuration references the origin access identity.

  • Update the Amazon S3 bucket policy or object ACLs so that the origin access identity can read the objects, and remove any grants that leave the objects publicly readable.

After you remove public access to the Amazon S3 bucket, your CloudFront distribution is the only way to reach the objects in the bucket. Adding trusted signer accounts to the distribution configuration restricts access further, to users who present a signed URL.

You can have up to 100 CloudFront origin access identities, and you can attach each to one or more distributions. One origin access identity is usually sufficient, even for multiple distributions.

The following example depicts three different distributions.

Serving public and private content from same origin

Distribution 1 is configured for public content. The object has an Amazon S3 ACL that grants everyone read permission. Anyone can access the contents of this distribution through Amazon S3 or through your CloudFront distribution.

Distribution 2 is configured to read private content with signed URLs. This distribution is attached to CloudFront origin access identity A. The object has an Amazon S3 ACL that grants read permission to the identity. The content in this distribution cannot be accessed by anyone who doesn't have the signed URL.

Distribution 3 is configured to read private content with public URLs. This distribution is also attached to CloudFront origin access identity A. The object has an Amazon S3 ACL that grants read permission to the identity. The content in this distribution is not private, but users can access it only through your CloudFront distribution (not through your Amazon S3 bucket).

Creating a CloudFront Origin Access Identity

You can create a CloudFront origin access identity using a POST on the 2012-05-05/origin-access-identity/cloudfront resource. You must provide a unique caller reference in the request, as you do when creating a distribution. You can optionally provide comments about the identity.

[Note]Note

Currently, the AWS Management Console doesn't support creating an origin access identity or updating a distribution to serve private content.

To create a CloudFront origin access identity for your distribution

  1. Send a CloudFront control API request that is similar to the following example.

    POST /2012-05-05/origin-access-identity/cloudfront HTTP/1.1
    [Required headers]  
    
    <?xml version="1.0" encoding="UTF-8"?>
    <CloudFrontOriginAccessIdentityConfig xmlns="http://cloudfront.amazonaws.com/doc/2012-05-05/">
      <CallerReference>20120229090000</CallerReference>   
      <Comment>Your comments here</Comment>
    </CloudFrontOriginAccessIdentityConfig>
  2. You will receive a response that looks similar to the following example.

    201 Created
    Location: https://cloudfront.amazonaws.com/2012-05-05/origin-access-identity/cloudfront/E74FTE3AEXAMPLE
    x-amz-request-id: request_id
    
    <?xml version="1.0" encoding="UTF-8"?>
    <CloudFrontOriginAccessIdentity xmlns="http://cloudfront.amazonaws.com/doc/2012-05-05/">
      <Id>E74FTE3AEXAMPLE</Id>
      <S3CanonicalUserId>
         cd13868f797c227fbea2830611a26fe0a21ba1b826ab4bed9b7771c9aEXAMPLE
      </S3CanonicalUserId>
      <CloudFrontOriginAccessIdentityConfig>
        <CallerReference>20120229090000</CallerReference>   
        <Comment>Your comments here</Comment>
      </CloudFrontOriginAccessIdentityConfig>
    </CloudFrontOriginAccessIdentity>
  3. Record the Id and the S3CanonicalUserId for the new CloudFront origin access identity.

    You will use these values later in the process. The Id associates the origin access identity with your distribution, and the S3CanonicalUserId identifies CloudFront in the Amazon S3 bucket policy or object ACL that grants it read access. For more information about these identifiers, go to Actions on Origin Access Identities in the Amazon CloudFront API Reference.
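As an added example (not part of the original guide), the following Python script builds the request body shown in step 1, parses the response shown in step 2, and produces the value that a private distribution's configuration uses to reference the identity. It assumes nothing beyond the XML on this page; the embedded sample response is a copy of the one above so the script runs offline. Note the line breaks and indentation around S3CanonicalUserId in the pretty-printed response: Amazon S3 compares the canonical user ID byte for byte, so the parser strips that whitespace before the value is copied into a bucket policy or ACL.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# XML namespace of the 2012-05-05 CloudFront API, as used in the request and response above.
CF_NS = "http://cloudfront.amazonaws.com/doc/2012-05-05/"

# Constructed sample: the CreateCloudFrontOriginAccessIdentity response from this page,
# including the whitespace that surrounds the S3CanonicalUserId value.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<CloudFrontOriginAccessIdentity xmlns="http://cloudfront.amazonaws.com/doc/2012-05-05/">
  <Id>E74FTE3AEXAMPLE</Id>
  <S3CanonicalUserId>
     cd13868f797c227fbea2830611a26fe0a21ba1b826ab4bed9b7771c9aEXAMPLE
  </S3CanonicalUserId>
  <CloudFrontOriginAccessIdentityConfig>
    <CallerReference>20120229090000</CallerReference>
    <Comment>Your comments here</Comment>
  </CloudFrontOriginAccessIdentityConfig>
</CloudFrontOriginAccessIdentity>
"""


def build_create_request(caller_reference, comment=""):
    """Body for POST /2012-05-05/origin-access-identity/cloudfront.

    CallerReference must be unique across your create requests (the page uses a timestamp);
    CloudFront uses it to detect a retried request.
    """
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<CloudFrontOriginAccessIdentityConfig xmlns="%s">\n'
        '  <CallerReference>%s</CallerReference>\n'
        '  <Comment>%s</Comment>\n'
        '</CloudFrontOriginAccessIdentityConfig>\n'
    ) % (CF_NS, escape(caller_reference), escape(comment))


def parse_oai_config(xml_text):
    """Return CallerReference and Comment from a request body or from the config echoed in a response."""
    root = ET.fromstring(xml_text)
    config_tag = "{%s}CloudFrontOriginAccessIdentityConfig" % CF_NS
    config = root if root.tag == config_tag else root.find(config_tag)
    if config is None:
        raise ValueError("no CloudFrontOriginAccessIdentityConfig element")
    return {
        "CallerReference": (config.findtext("{%s}CallerReference" % CF_NS) or "").strip(),
        "Comment": (config.findtext("{%s}Comment" % CF_NS) or "").strip(),
    }


def parse_oai_response(xml_text):
    """Extract (Id, S3CanonicalUserId) from a CreateCloudFrontOriginAccessIdentity response."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}CloudFrontOriginAccessIdentity" % CF_NS:
        raise ValueError("unexpected root element: %r" % root.tag)
    oai_id = (root.findtext("{%s}Id" % CF_NS) or "").strip()
    canonical = root.findtext("{%s}S3CanonicalUserId" % CF_NS) or ""
    # Drop every whitespace character: the pretty-printed response wraps the ID in
    # newlines and indentation, and S3 will not match a grant that includes them.
    canonical = "".join(canonical.split())
    if not oai_id or not canonical:
        raise ValueError("response is missing Id or S3CanonicalUserId")
    # Canonical user IDs are 64 characters long (the page's placeholder ends in EXAMPLE,
    # so only the length is checked here, not the hex alphabet).
    if len(canonical) != 64:
        raise ValueError("S3CanonicalUserId should be 64 characters, got %d" % len(canonical))
    return oai_id, canonical


def origin_access_identity_value(oai_id):
    """Value of the OriginAccessIdentity element in a private distribution's configuration."""
    return "origin-access-identity/cloudfront/" + oai_id


if __name__ == "__main__":
    print(build_create_request("20120229090000", "Your comments here"))
    oai_id, canonical = parse_oai_response(SAMPLE_RESPONSE)
    print("Id:", oai_id)
    print("S3CanonicalUserId:", canonical)
    print("OriginAccessIdentity:", origin_access_identity_value(oai_id))
```

Send the body from build_create_request with the required authentication headers, then feed the 201 response to parse_oai_response and keep both returned values: the Id goes into the distribution configuration, the canonical user ID into the Amazon S3 grants.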

[Note]Note

The CloudFront API includes actions for creating and managing your CloudFront origin access identities. For more information, go to Actions on Origin Access Identities in the Amazon CloudFront API Reference.

Now that you have an origin access identity, you can create a distribution configured for private content. For more information, see Creating a Private Content Distribution.

Creating a Private Content Distribution

A distribution can serve either public or private content as specified by configuration values. To configure a distribution to serve private content, you use your AWS account, or a trusted AWS account you specify, to get a key pair. (If you already have an RSA key pair, you can upload the public key to AWS.) You then use the private key from the key pair to sign a policy statement; the resulting signature lets CloudFront verify that the policy was issued by a trusted signer and has not been tampered with.

A private content distribution looks like a public content distribution, except that it has an OriginAccessIdentity element in the configuration. You must specify the value for the element using the following format: origin-access-identity/cloudfront/ID.

To create a private content distribution, use the CloudFront API to create a new distribution or update an existing distribution and include an OriginAccessIdentity element. See the topics on creating and updating a distribution in the Amazon CloudFront API Reference.

Now that you have created a distribution configured for private content, you need to set the ACLs on your Amazon S3 private content objects. For more information, see Updating Amazon S3 Bucket Policies or ACLs on Your Private Content Buckets or Objects.

Updating Amazon S3 Bucket Policies or ACLs on Your Private Content Buckets or Objects

After you create a private content distribution, you must update Amazon S3 bucket policies or ACLs to grant the CloudFront origin access identity the permissions necessary to access the private content in Amazon S3. Note the following:

  • You may find it easier to update Amazon S3 bucket policies than ACLs because you can add objects to the bucket without updating permissions. However, ACLs give you more fine-grained control because you're granting permissions on each object.

  • If you updated a public-content distribution to serve private content, modify the bucket policy or any object ACLs as appropriate to ensure that the objects are not publicly available.

  • Both for bucket policies and for ACLs, when you specify the CloudFront entity to which you are granting access, use the S3CanonicalUserId element that was returned when you created a CloudFront origin access identity.

Updating Amazon S3 Bucket Policies

Using either the AWS Management Console or the Amazon S3 API, change the Amazon S3 bucket policy to allow the CloudFront origin access identity to access objects in the bucket. For more information, go to Using Bucket Policies in the Amazon Simple Storage Service Developer Guide. For an example, see "Granting Permission, Using Canonical ID, to a CloudFront Origin Identity" in the topic Example Cases for Amazon S3 Bucket Policies, also in the Amazon Simple Storage Service Developer Guide.

Updating Amazon S3 ACLs

Using either the AWS Management Console or the Amazon S3 API, change the Amazon S3 ACL to give CloudFront READ permission on each object that the CloudFront distribution serves. For more information, go to Using ACLs in the Amazon Simple Storage Service Developer Guide.

You can also change the ACLs using code and one of the AWS SDKs. For an example, see the downloadable sample code in Create a URL Signature Using C# and the .NET Framework.
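The following Python example is added here and is not part of the guide or of the AWS sample code it refers to; it covers both the bucket-policy and the ACL approach described above. It builds a bucket policy that grants s3:GetObject on every object to the origin access identity's canonical user ID, and it audits a policy and a set of object ACL grants for the problem called out earlier: grants that still leave objects publicly readable after the distribution is switched to private content. The bucket name, the owner's canonical ID, the sample public policy and the grant lists are constructed for the example; the canonical user ID is the placeholder from the response above, and the grants use the Grantee/Permission shape in which Amazon S3 returns an object's ACL.

```python
import json

# Constructed values: the bucket name and owner ID are hypothetical; the canonical user
# ID is the placeholder returned in the page's CreateCloudFrontOriginAccessIdentity response.
BUCKET = "example-private-bucket"
OAI_CANONICAL_USER_ID = "cd13868f797c227fbea2830611a26fe0a21ba1b826ab4bed9b7771c9aEXAMPLE"
OWNER_CANONICAL_USER_ID = "0123456789abcdef" * 4

# Predefined Amazon S3 groups; a grant to either one makes the object readable without a signed URL.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def oai_bucket_policy(bucket, canonical_user_id):
    """Bucket policy that lets the origin access identity, and nobody else, read every object."""
    return {
        "Version": "2012-10-17",  # policy language version
        "Id": "PolicyForCloudFrontPrivateContent",
        "Statement": [
            {
                "Sid": "AllowCloudFrontOAIRead",
                "Effect": "Allow",
                # Amazon S3 identifies the origin access identity by its S3CanonicalUserId.
                "Principal": {"CanonicalUser": canonical_user_id},
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::%s/*" % bucket,
            }
        ],
    }


def _principals(principal):
    """Flatten a Principal ("*", {"AWS": "*"}, {"AWS": [...]}, ...) into a list of strings."""
    if isinstance(principal, str):
        return [principal]
    flat = []
    for value in principal.values():
        flat.extend(value if isinstance(value, list) else [value])
    return flat


def public_statements(policy):
    """Sids (or positions) of Allow statements whose principal is everyone."""
    found = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        if "*" in _principals(statement.get("Principal", {})):
            found.append(statement.get("Sid", str(index)))
    return found


def audit_object_acl(grants, canonical_user_id):
    """Findings for one object's ACL: the OAI needs READ, and no S3 group may hold any permission."""
    findings = []
    oai_can_read = False
    for grant in grants:
        grantee = grant.get("Grantee", {})
        permission = grant.get("Permission")
        if grantee.get("Type") == "CanonicalUser" and grantee.get("ID") == canonical_user_id:
            if permission in ("READ", "FULL_CONTROL"):
                oai_can_read = True
        elif grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS):
            findings.append("%s granted to %s" % (permission, grantee["URI"]))
    if not oai_can_read:
        findings.append("origin access identity has no READ grant")
    return findings


# Constructed samples: a policy left over from a public-content distribution, and two object
# ACLs in the form Amazon S3 returns them (the owner's FULL_CONTROL grant is always present).
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::%s/*" % BUCKET}],
}
PRIVATE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_CANONICAL_USER_ID}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "CanonicalUser", "ID": OAI_CANONICAL_USER_ID}, "Permission": "READ"},
]
PUBLIC_GRANTS = PRIVATE_GRANTS + [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]

if __name__ == "__main__":
    print(json.dumps(oai_bucket_policy(BUCKET, OAI_CANONICAL_USER_ID), indent=2))
    print("public statements in old policy:", public_statements(PUBLIC_READ_POLICY))
    print("ACL findings:", audit_object_acl(PUBLIC_GRANTS, OAI_CANONICAL_USER_ID))
```

Apply the policy from oai_bucket_policy with the S3 console or API, then run public_statements over the bucket's existing policy and audit_object_acl over each object's grants; an empty result from both means the origin access identity, and only the origin access identity, can read the content. Remember that a bucket policy and object ACLs are evaluated together, so a leftover public grant in either one still exposes the object.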

What's Next?

After you grant the CloudFront origin access identity the permissions necessary to access your Amazon S3 content, you may want to restrict end-user access to your distribution and create a signed URL. For more information, go to Restricting End User Access.